Abstract: Differential privacy has emerged as the main definition for private data
analysis and machine learning. The global model of differential privacy, which
assumes that users trust the data collector, provides strong privacy guarantees
and introduces small errors in the output. In contrast, applications of
differential privacy in commercial systems by Apple, Google, and Microsoft, use
the local model. Here, users do not trust the data collector, and hence
randomize their data before sending it to the data collector. Unfortunately,
local model is too strong for several important applications and hence is
limited in its applicability. In this work, we propose a framework based on
trusted processors and a new definition of differential privacy called
Oblivious Differential Privacy, which combines the best of both local and
global models. The algorithms we design in this framework show interesting
interplay of ideas from the streaming algorithms, oblivious algorithms, and
differential privacy.